Introduction

An Active Directory (AD) requires accurate time synchronisation. For example, Kerberos relies on correct time stamps to prevent replay attacks, and AD uses time stamps to resolve replication conflicts. The default maximum allowed time deviation in an AD is 5 minutes. If the clock of a domain member or domain controller (DC) deviates by more than this, access is denied. As a result, a user cannot access shares or query the directory.

Samba supports the ntpd from http://ntp.org. The daemon synchronises the time with external sources and enables clients to retrieve the time from the server running it.

By default, domain-joined Windows clients synchronise their clock via NT5DS with the AD DC that holds the PDC emulator FSMO role.
The NT5DS protocol uses digital signatures. Samba can provide these if ntpd runs on the same server and is configured as described on this page (with the mssntp and ntpsigndsocket options).
Alternatively, you could configure all machines to use standard NTP, but NT5DS is recommended.

Note that ntpd does not support authenticated time synchronisation with Windows 2000 clients.

Configuring Time Synchronisation on a DC

Requirements

ntpd >= 4.2.6 from http://www.ntp.org, compiled with signed NTP support enabled (--enable-ntp-signd)

Verify the socket permissions on your domain controller (DC). The ntpd daemon must have read permissions on the ntp_signd directory. To list the permissions, enter:
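The following shell script is an added example and is not from the Samba wiki. It checks the two DC-side requirements this section describes: that ntp.conf carries an ntpsigndsocket directive pointing at an existing directory that the caller can read and search, and that a restrict line carries the mssntp flag. Run it as the account ntpd runs under, because the permission check applies to the caller. The configuration path passed on the command line and the socket directory named in ntp.conf are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki: sanity-check an ntpd configuration
# for signed NTP (Samba's ntp_signd socket). Exit status 0 means both the
# ntpsigndsocket directive and the mssntp restrict flag are present and the
# socket directory is usable by the caller; 1 means at least one check failed.

# check_signd_config CONF
check_signd_config() {
    conf="$1"
    rc=0

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 1
    fi

    # The ntpsigndsocket directive tells ntpd where Samba's signing socket lives.
    sockdir=$(awk '$1 == "ntpsigndsocket" { print $2; exit }' "$conf")
    if [ -z "$sockdir" ]; then
        echo "missing: ntpsigndsocket directive" >&2
        rc=1
    elif [ ! -d "$sockdir" ]; then
        echo "ntpsigndsocket directory does not exist: $sockdir" >&2
        rc=1
    elif [ ! -r "$sockdir" ] || [ ! -x "$sockdir" ]; then
        # ntpd must be able to enter the directory and open the socket inside it.
        echo "ntpsigndsocket directory not readable/searchable by $(id -un): $sockdir" >&2
        rc=1
    fi

    # Without mssntp on a restrict line ntpd never asks Samba to sign replies,
    # so NT5DS clients will reject the unsigned answers.
    if ! awk '$1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "mssntp") found = 1 }
              END { exit !found }' "$conf"; then
        echo "missing: restrict ... mssntp" >&2
        rc=1
    fi

    return $rc
}

# Usage: sh check_signd.sh /etc/ntp.conf  (path is an assumption)
if [ $# -gt 0 ]; then
    check_signd_config "$1"
fi
```

Because ntpd usually drops privileges to a dedicated account, a clean run as root says nothing about what ntpd itself can open; rerun the script under the daemon's account before trusting the result.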

Configuring Time Synchronisation on a Windows Domain Member

The following describes the basics of how to configure time synchronisation on a Windows domain member. For further details, see your Microsoft Windows documentation.

Default Time Source

Windows AD domain members use the DC holding the PDC emulator FSMO role as their default time source. If you have set up ntpd on the DC as described on this page, you usually do not need to reconfigure the clients. Alternative configuration options for the clients are described below.

Setting User Defined Time Sources and Options

To create a group policy object (GPO) that sets a user-defined NTP time source and options:

Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.

Open the Group Policy Management Console. If the Remote Server Administration Tools (RSAT) are not installed on this computer, see Installing RSAT.

Right-click your AD domain and select Create a GPO in this domain, and Link it here.

Enter a name for the GPO, such as Time Sources. The new GPO is shown below the domain entry.

Right-click the newly created GPO and select Edit to open the Group Policy Management Editor.

Navigate to the Computer Configuration → Policies → Administrative Templates → System → Windows Time Service → Time Providers entry, and double-click Configure Windows NTP Client to configure the policy:

Enable the policy and set the following options:

Enter the fully-qualified domain name (FQDN) of the NTP server in the NtpServer field and append the 0x9 flag. For example:

To enter multiple servers, separate the individual entries with a space.

Keep the NT5DS type setting.

Update the additional parameters, if necessary.

Click OK to save the settings.

Navigate to the Computer Configuration → Policies → Administrative Templates → System → Windows Time Service → Time Providers entry, and double-click Enable Windows NTP Client to configure the policy:

Enable the policy.

Click OK to save the settings.

Close the Group Policy Management Editor.

Close the Group Policy Management Console.

Notes:

The default Type, NT5DS, ignores the NtpServer parameter and syncs with the DC.

If ntpd on your DC is not configured for mssntp with ntpsigndsocket, use Type NTP instead.

If a client will be unable to connect to the DC for a long time (for example, a laptop), use Type AllSync and set NtpServer to "time.windows.com,0x9". This causes the client to try both NT5DS to your DC and NTP to the NtpServer.